Typing Linear Constraints - Persone - Unipi

Typing Linear Constraints SALVATORE RUGGIERI Dipartimento di Informatica, Universit`a di Pisa, Italy FRED MESNARD IREMIA, LIM, Universit´e de la R´eunion, France We present a type system for linear constraints over the reals intended for reasoning about the input-output directionality of variables. Types model the properties of definiteness, range width or approximation, lower and upper bounds of variables in a linear constraint. Several proof procedures are presented for inferring the type of a variable and for checking validity of type assertions. We rely on theory and tools for linear programming problems, linear algebra, parameterized polyhedra and negative constraints. An application of the type system is proposed in the context of the static analysis of constraint logic programs. Type assertions are at the basis of the extension of well-moding from pure logic programming. The proof procedures (both for type assertion validity and for well-moding) are implemented and their computational complexity is discussed. We report experimental results demonstrating the efficiency in practice of the proposed approach. Categories and Subject Descriptors: I.2.2 [Artificial Intelligence]: Automatic programming; I.2.3 [Artificial Intelligence]: Deduction and theorem proving General Terms: Languages, Verification Additional Key Words and Phrases: Linear constraints, polyhedra, constraint logic programming, well-moding, definiteness

1. INTRODUCTION (Linear) constraint solving is naturally undirected, in the precise sense that there is no explicit set of input/output variables. As an example, let c be the linear constraint F = 9/5 * C + 32 stating the Fahrenheit-Celsius conversion rule. A constraint solver provided with c and a Celsius value C = 30 returns F = 86 as the solved constraint. Conversely, a constraint solver provided with c and a Fahrenheit value F = 77 returns C = 25 as the solved constraint. This extends to intervals, lower bounds and upper bounds as well. Assume that the Celsius temperature is known with some approximation (e.g., due to measurement error of a sensor) C = 30 ± 1, or, by adopting a different syntax, that 29 =< C, C =< 31. A constraint solver provided with c and a Celsius interval 29 =< C, C =< 31 returns as the solved constraint 84.2 =< F, F =< 87.8, or F = 86 ± 1.8.

Corresponding author’s address: S. Ruggieri, Dipartimento di Informatica, Universit` a di Pisa, Largo B. Pontecorvo 3, 56127 Pisa, Italy. e-mail: [email protected]. A preliminary version of the results presented in this paper appeared in [Ruggieri and Mesnard 2008]. Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. c 20YY ACM 0164-0925/20YY/0500-0001 $5.00 ° ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY, Pages 1–40.

2

·

S. Ruggieri and F. Mesnard

Programming with constraints allows then for declaratively modelling a problem by generating the set of constraints among the variables at hand, and then letting a constraint solver find a solved form. Constraint generation can be as simple as feeding a constraint solver with a predetermined system of linear equalities and inequalities, as in the example above. Or it can assume more complex forms, requiring iteration, recursion or non-determinism. Constraint logic programming languages, for instance, adopt recursion, non-determinism and intertwined constraint generation & solving. The objective of this paper is twofold. As the first main contribution, we propose a type system that allows for reasoning on the input-output directionality of variables occurring in a linear constraint. The types considered include definiteness of a variable, namely it assumes a unique value; lower bound; upper bound; and maximum range width. These types allow for verifying that the solved form returned by a constraint solver satisfies the intended directionality, e.g., that a certain variable is definite, or that it has a variability range within a maximum threshold, or that it is upper/lower bounded. Recalling the Fahrenheit-Celsius conversion example, we will be able to conclude that if C is definite, then in the solved form of c also F is definite; or that if C is known with an approximation of ± 1, then in the solved form of c we have that F is known with an approximation of ± 1.8. Formally, type assertions are introduced in order to derive types implied by a constraint and a set of typed variables. The semantics of a type assertion is provided as a first order formula over the theory of the reals. However, a geometric view based on parameterized polyhedra will be considered in order to reason on type assertions. Validity of type assertions is thoroughly investigated by devising several checking and inference procedures. We proceed incrementally by first considering lower and upper bound types: the inference procedure relies on solving homogeneous linear programming problems. Next, we add definiteness by reasoning on the set of implicit equalities of the underlying linear constraint. Third, we tackle range width by computing the Minkowski’s form of a parameterized polyhedron. The procedures are sound and complete with respect to the appropriate subset of types. Moreover, the approach is extended to deal with constraints containing strict inequalities and disequalities. Finally, parameters are added to the languages of types in order to express range widths of parametric size. Recalling again the Fahrenheit-Celsius conversion example, we will be able to show that if C is known with an approximation of ±s, then in the solved form of c we have that F is known with an approximation of ±1.8s. The considered types can be useful for reasoning about variable directionality in programs and systems loosely coupled with a constraint solving library. Even more challenging is the case of programming languages that tightly integrate constraint solving. As another main contribution of this paper, we study how the type system can be adopted for reasoning over constraint logic programs, which represent a sophisticated scheme for programming with constraints. Modern constraint logic programming languages, such as Mercury [Somogyi et al. 1996; Becket et al. 2006], offer the notion of moding [Apt 1997] as program annotations allowing the programmer to specify the input-output behavior of predicate arguments. Modes are at the basis of compiler optimizations, program transformations and termination analyses. As an example, consider the MORTGAGE program over CLP(R). ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

Typing Linear Constraints (m1)

mortgage(P,T,R,B) ← T = 0, B = P.

(m2)

·

3

mortgage(P,T,R,B) ← T >= 1, NP = P + P * 0.05 - R, NT = T - 1, mortgage(NP,NT,R,B).

The query ← mortgage(100, 5, 20, B) is intended for calculating the balance of a mortgage of 100 units after giving back 20 units per year for a period of 5 years. The answer provides an exact value (i.e., a real number) for the required balance, namely B = 17.12. Using the moding terminology, we say that given definite values for principal, time and repayment, in every (non-deterministically computed) answer we obtain a definite value for the balance. However, this is only one mode we can query the program above. The query ← 3 1, we reason by contraposition. Assume cT V(µ0 − µ00 ) > α for some µ0 , µ00 . Let m be such that cT Vm is maximum, and n be such that cT Vn is minimum. We have α < cT V(µ0 − µ00 ) = cT Vµ0 − cT Vµ00 ≤ cT Vm − cT Vn ≤ abs(cT Vm − cT Vn ) = abs(cT Vn − cT Vm ). This show our conclusion for some m ≤ n. Moreover, we claim that m 6= n. Otherwise we have cT Vi = cT Vj for every 1 ≤ i, j ≤ k, and then we can use any other index pair i, j such that i < j. Lemma 3.28. Proof. For a parameter instance u let us denote by V u the set of (instances of the) parameterized vertices whose domain includes u, namely: V u = {vu (i) | i = 1..k, Ci u ≤ ci }. If V u 6= ∅, let us denote by Vu a matrix whose columns are the vectors in V u . (If-part). Notice that the hypotheses imply that r ≥ 0. We first show the for-all statement. Let u be fixed. If Su = ∅, we are done. Otherwise, by Theorem 3.24, V u is not empty. Since cT R = 0, we calculate: Su = {cT x | x = Rλ + Vu µ, λ ≥ 0, µ ≥ 0, Σµ = 1} = {z | z = cT Vu µ, µ ≥ 0, Σµ = 1}. Moreover, since u belongs to the domains of all the vertices in Vu , for every pair vu (m), vu (n) of them Sol(Pm,n ) 6= ∅. By hypothesis, we then have: abs(cT vu (m) − cT vu (n)) ≤ r.

(5)

For x, y ∈ Su , abs(x − y) can be rewritten as abs(cT Vu (µx − µy )), for some µx ≥ 0, Σµx = 1, µy ≥ 0, Σµy = 1. By Lemma A.5, this and (5) imply abs(x − y) ≤ r. Next, let us show the existential statement. If r = 0 the conclusion holds by considering any u such that Su 6= ∅ (at least one exists, since the parameterized polyhedron is assumed not to be empty). For any x ∈ Su , we have abs(x − x) = 0. If r > 0, by assumption there exists m, n be such that cT va (m) 'r cT va (n) over Pm,n , with Sol(Pm,n ) 6= ∅. By Definition 3.25, there exists u ∈ Sol(Pm,n ) such that abs(cT vu (m) − cT vu (n)) = r. The conclusion then follows by noting that x = cT vu (m) and y = cT vu (n) belong to Su since vu (m) and vu (n) are in Vu . (Only-If part). We show the contrapositive of the three conclusions. First, if cT R 6= 0, consider any u in Sol(C1 a ≤ c1 ). Notice that k ≥ 1 since the parameterized polyhedron is assumed not to be empty, and Sol(C1 a ≤ c1 ) 6= ∅ by Theorem 3.24. We have: Su = {cT x | x = Rλ + Vu µ, λ ≥ 0, µ ≥ 0, Σµ = 1} = {z | z = cT Rλ + cT Vu µ, λ ≥ 0, µ ≥ 0, Σµ = 1}. ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

Typing Linear Constraints

·

App–11

Let Rj be a column of R such that cT Rj = α 6= 0. By fixing λi = 0 for i 6= j, we get that cT Rλ = αλj . By fixing µ in any way such that µ ≥ 0, Σµ = 1, we also have cT Vu µ = β, for some β. Summarizing, Su includes αλj + β for every λj ≥ 0. Hence, abs(x − y) cannot be bounded by any r for every x, y ∈ Su . Second, assume that there exist 1 ≤ m < n ≤ k such that Sol(Pm,n ) 6= ∅ and for every s ≤ r, cT va (m) 6's cT va (n) over Pm,n . This implies that there exists u in Sol(Pm,n ) such that abs(cT vu (m) − cT vu (n)) > r. By fixing µi = 0 for i 6= m and µm = 1, we define x = Vu µ = vu (m). Analogously, by fixing µi = 0 for i 6= n and µn = 1, we define y = Vu µ = vu (n). It turns out x = cT x, y = cT y belong to: {cT x | x = Vu µ, µ ≥ 0, Σµ = 1} = {z | z = cT Vu µ, µ ≥ 0, Σµ = 1} ⊆ Su , and abs(x − y) > r. Third, we have to show that if r 6= rˆ, where: rˆ = max({0} ∪ {s | 1 ≤ m < n ≤ k, Sol(Pm,n ) 6= ∅, cT va (m) 's cT va (n) over Pm,n }), then: (a) for some u, and some x, y ∈ Su , abs(x − y) > r; or (b) for every u, and every x, y ∈ Su , abs(x − y) < r. Without any loss of generality, we can assume that for 1 ≤ m < n ≤ k, Sol(Pm,n ) = ∅ or cT va (m) 's cT va (n) over Pm,n for some s ≤ r (otherwise, we can apply the previous part of the proof to obtain (a)). This trivially implies rˆ ∈ R and r ≥ rˆ. Therefore, we can assume r > rˆ. We will show (b) by absurd. Assume that (b) does not hold, namely there exist u and x, y ∈ Su , abs(x − y) ≥ r > rˆ. Since we can assume cT R = 0 (already shown), we calculate: Su = {cT x | x = Rλ + Vu µ, λ ≥ 0, µ ≥ 0, Σµ = 1} = {z | z = cT Vu µ, µ ≥ 0, Σµ = 1}. Thus, abs(x − y) > rˆ can be rewritten as abs(cT Vu (µx − µy )) > rˆ, for some µx ≥ 0, Σµx = 1, µy ≥ 0, Σµy = 1. By Lemma A.5, there exist m0 , n0 such that u T u u abs(cT Vm ˆ. For some m, the column Vm 0 − c Vn0 ) > r 0 corresponds to an instance u u u of a parameterized vertex v (m), i.e., Vm0 = v (m). Analogously, for some n, Vnu0 = vu (n). Also, we can assume m < n since we are considering absolute values. Therefore, we can conclude that there exist 1 ≤ m < n ≤ k such that Sol(Pm,n ) 6= ∅, since u ∈ Sol(Pm,n ), and such that abs(cT vu (m) − cT vu (n)) > rˆ. This is impossible by definition of rˆ. Theorem 3.30 [(POLYInfer - soundness and completeness)]. Proof. Working on n = nf (d1 ) at Step 0 is sound and complete by Lemma A.1; while working on d = n|B is sound and complete by Theorem 3.22. Also, by Lemma A.1, each variable x in v can be considered separately. Finally, we recall that Lemma 3.28 provides necessary and sufficient conditions for computing the minimum r such that d ` c → x : 2r is valid. (Soundness) Step 4 is justified by Soundness of LPInfer. Step 5 is justified by the if-part of Lemma 3.28 instantiated by fixing cj = 0 for j 6= i, and ci = 1, so that cT vc = x. Notice that, since r ≥ 0 by its definition, 2r is a type (in BT ). (Completeness) Assume that d ` c → x : τ is valid. ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

·

App–12

S. Ruggieri and F. Mesnard

If x 6∈ vc = vars(c) then the output of LPInfer is complete, since validity of d1 ` c → x : τ is equivalent to check nf (d1 ) ≥t x : τ . This is dealt with at Step 3 of LPInfer, as shown in the proof of Theorem 3.7. If τ 6= 2 then the output of LPInfer is complete again: for τ = ! there cannot be any more general answer type; for 2 >t τ there cannot be any more general answer, otherwise LPInfer would have answered τ = 2. If x ∈ vc and τ = 2 the test at Step 5 (a,b) is complete by the only-if part of Lemma 3.28. A.6 Section 3.5 Next lemma states that if we are given a point x in an hyperplane and a point y outside it, the segment from x to y lies outside the hyperplane, except for x. Lemma A.6. Let cT x = α and cT y 6= α. For every 0 ≤ λ < 1, called z = λx + (1 − λ)y, we have cT z 6= α. Proof. We have cT z > α iff λcT x + (1 − λ)cT y > α iff λα + (1 − λ)cT y > α iff (1 − λ)cT y > α(1 − λ) and finally, since λ < 1, iff cT y > α. The case of cT z < α is analogous. Let us provide a set oriented characterization of generalized constraints. Vm Lemma A.7. Let g = c ∧ i=1 ei 6= αi be a generalized linear constraint. We have: m \ Sol(g) = Sol(c) \ Sol(ei = αi ). i=1

Proof. Sol(g) = Sol(

m ^

(c ∧ ei 6= αi )) =

i=1

=

m \ i=1

m \

Sol(c ∧ ei 6= αi )

i=1

Sol(c) ∩ Sol(ei 6= αi ) =

m \

Sol(c) \ Sol(ei = αi ).

i=1

The next result can be interpreted geometrically as V follows. Given a point x in m the solution set of a generalized linear constraints c ∧ i=1 ei 6= αi , and a point y in the polyhedron Sol(c), the hyperplanes ei = αi intersect the segment from x to y in finitely many points. Vm Lemma A.8. Let g = c ∧ i=1 ei 6= αi be a generalized linear constraint. For every x ∈ Sol(g) and y ∈ Sol(c) there exists 0 < λ < 1 such that, for every 0 < λ0 ≤ λ, λ0 x + (1 − λ0 )y ∈ Sol(g). Proof. The proof is by induction on m. For m = 0 the result is immediate for any 0 < λ < 1 since Sol(g) = Sol(c) is a convex set. Consider the inductive step. If for every 0 < λ0 < 1, λ0 x + (1 − λ0 )y ∈ Sol(g) then we are done with any 0 < λ < 1. Assume then some 0 < λ1 < 1 such that y1 = λ1 x + (1 − λ1 )y 6∈ Sol(g). Let J be the set of all j ∈ {1, . . . , m} such that y1 ∈ Sol(ej = αj ). By Lemma A.7, J 6= ∅. We observe that y 6∈ Sol(ej = αj ) for every j ∈ J. Otherwise, since x is ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

Typing Linear Constraints

·

App–13

a linear combination of y and y1 (namely, x = y1 /λ1 − (1 − λ1 )/λ1 y), it would belong to some Sol(ej = αj ) with j ∈ J. But this is impossible since x ∈ Sol(g) implies, by Lemma A.7, x 6∈ Sol(ej = αj ) for j = 1..m. By Lemma A.6 applied to y1 and y, we have that for every 0 ≤ λ0 < 1 and j ∈ J, z = λ0 y1 + (1 − λ0 )y 6∈ Sol(ej = αj ), i.e., the segment from y1 to y does not belong to Sol(ej = αj ), except for y1 . V By inductive hypothesis on g1 = c ∧ i∈{1,...,m}\J ei 6= αi , y1 (which is in Sol(g1 )) and y (which is in Sol(c)), there exists 0 < λ2 < 1 such that, for every 0 < λ0 ≤ λ2 , z = λ0 y1 + (1 − λ0 )y ∈ Sol(g1 ). In addition, we have shown that z 6∈ Sol(ej = αj ), for j ∈ J. Therefore, by Lemma A.7, z ∈ Sol(g). The conclusion now follows by obvserving that z can be rewritten as λ0 x+(1−λ0 )y for 0 < λ0 ≤ λ, where λ = λ1 λ2 . Since Sol(g) can be an open set, we write sup{cT x | x ∈ Sol(g)} to denote the supremum, instead of max{cT x | x ∈ Sol(g)} to denote the maximum. Vm Lemma A.9. Let g = c ∧ i=1 ei 6= αi be a satisfiable generalized linear constraint. We have: sup{cT x | x ∈ Sol(g)} ∈ R iff max{cT x | x ∈ Sol(c)} ∈ R. Proof. The if part follows since ∅ ⊂ Sol(g) ⊆ Sol(c). Consider now the only-if part. Let α = sup{cT x | x ∈ Sol(g)} ∈ R. Since g is satisfiable, there exists x0 ∈ Sol(g), and α ≥ cT x0 . Since Sol(g) ⊆ Sol(c), we have that {cT x | x ∈ Sol(c)} 6= ∅. We claim that max{cT x | x ∈ Sol(c)} ≤ α, which yields the conclusion. Assume, by absurd, that there exists x1 ∈ Sol(c) such that cT x1 = β > α ≥ cT x0 . By Lemma A.8, there exists 0 < λ < 1 such that z = λx0 + (1 − λ)x1 ∈ Sol(g) for every 0 < λ0 ≤ λ. For λ0 = min{λ, (β/2 − α/2)/(β − cT x0 )}, we have: cT z = λ0 cT x0 + (1 − λ0 )cT x1 = λ0 (cT x0 − β) + β ≥ −(β/2 − α/2) + β = (β + α)/2 > α. But this is impossible by definition of α. Theorem 3.31. Proof. The if-part is immediate: since R |= g → c, by reasoning as in the proof of Lemma 2.8, which does not rely on linearity of the underlying constraints, we have the conclusion. Consider now the only-if part. The proof is by induction on the length of d2 . When it is empty, there is nothing to be shown. Assume now d2 = x : τ, d3 . By inductive hypothesis, we have d1 ` c → d3 . Thus we are left with showing d1 ` c → x : τ . Let us consider the possible values for type τ . (x : ?) There is nothing to be shown. (x : u) Since g is satisfiable, g ∧ φ(d1 ) is satisfiable as well in the space of variables plus parameters. Let [x0 |u0 ] ∈ Sol(g ∧ φ(d1 )). Since d1 ` g → x : u is valid, sup{x | x ∈ Sol(g ∧ φ(d1 ) ∧ υ(d1 ) = u0 )} ∈ R. By Lemma A.9, we have: max{x | x ∈ Sol(c ∧ φ(d1 ) ∧ υ(d1 ) = u0 )} ∈ R. Since c contains no disequality, this can be rewritten in the space of variables as max{x | x ∈ Sol(c ∧ φ(d1 ), u0 )} ∈ R. We are now in the hypotheses of Theorem A.3 to conclude that max{x | x ∈ Sol(H)} = 0, where H is the homogeneous version of c ∧ φ(d1 ). By Lemma 3.5, we conclude that d1 ` c → x : u. (x : t) Same reasoning as in (x : u) but maximizing −x instead of x. (x : 2) It reduces to the cases (x : u) and (x : t). ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

App–14

·

S. Ruggieri and F. Mesnard

(x : 2r ) Since g is satisfiable, g ∧ φ(d1 ) is satisfiable as well in the space of variables plus parameters. Let [x0 |u0 ] ∈ Sol(g ∧ φ(d1 )). Consider now an instance u of parameters in υ(d1 ). In order to conclude d1 ` c → x : 2r , we have to show that for every y, z ∈ {x | x ∈ Sol(c ∧ φ(d1 ), u)}, abs(y −z) ≤ r. By absurd, assume that, without any loss of generality, y −z > r for some y, z. Then, there exist [y|u], [z|u] ∈ Sol(c ∧ φ(d1 )) such that the x dimension values of y and z are y and z respectively. By Lemma A.8, there exist 0 < λy and 0 < λz such that for every 0 < λy ≤ λy and 0 < λz ≤ λz : · ¸ · ¸ λy x0 + (1 − λy )y λz x0 + (1 − λz )z , ∈ Sol(g ∧ φ(d1 )). λy u0 + (1 − λy )u λz u0 + (1 − λz )u By choosing λ < min{λy , λz , 1 − r/(y − z)}, and called: y1 = λx0 + (1 − λ)y,

z1 = λx0 + (1 − λ)z,

u1 = λu0 + (1 − λ)u,

we have: [y1 |u1 ], [z1 |u1 ] ∈ Sol(g ∧ φ(d1 )). This implies that: {x | x ∈ Sol(g ∧ φ(d1 ), u1 )} ⊇ {y1 , z1 }, where, called x0 the value of the x dimension of x0 , y1 = λx0 + (1 − λ)y and z1 = λx0 +(1−λ)z. We have that y1 −z1 = (1−λ)(y −z) > r since λ < 1−r/(y −z). But this is impossible. A.7 Section 3.6 First, we introduce notation for denoting type variables occurring in an atd x : 2e , and for denoting the primitive constraint e ≥ 0 which is part of φ(x : 2e ). Definition A.10. We define the set of type variables occurring in an atd as: pvars(x : 2e ) = vars(e) and pvars(x : τ ) = ∅ for τ ∈ BT 2 . Also, we define the constraint on parametric expressions in an atd as: Φ(x : 2e ) is e ≥ 0, and Φ(x : τ ) is true for τ ∈ BT 2 . The notions readily extend to type declarations by defining: pvars(d1 , . . . , dn ) = ∪i=1..n pvars(di )

Φ(d1 , . . . , dn ) = ∧i=1..n Φ(di ).

Let us show first two results dealing with local type variables. Lemma 3.36. Proof. Let us denote pv = pvars(d1 ). Called s a local type variable in e, and l the remaining local type variables (possibly none), e can be written as e = αs + cT1 l + cT2 pv + r, where α 6= 0 and r ∈ R. Validity of d1 ` c → x : 2e consists of showing the formula (1) in Definition 2.4, which can be rewritten as follows: ∀pv∀υ(d1 ) \ pv∃a, s, l ∀v.(φ(d1 ) ∧ c) → (a ≤ x ≤ a + e ∧ e ≥ 0).

(6)

If this is true, by defining b = a + e (all the variables in υ(d1 ) being fixed) the following holds: ∀pv∀υ(d1 ) \ pv∃a, b ∀v.(φ(d1 ) ∧ c) → (a ≤ x ≤ b), namely d1 ` c → x : 2 is valid. Conversely, if this is true, by defining l = 0, s = (b − a − cT2 pv − r)/α, we have that e = b − a and then (6) holds. ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

Typing Linear Constraints

·

App–15

Lemma 3.38. Proof. Let us denote pv = pvars(d1 ). Validity of d1 ` c → (d2 , d3 ) consists of showing the formula (1) in Definition 2.4, which can be rewritten as follows: ∀pv∀υ(d1 ) \ pv∃υ(d2 , d3 ) \ pv∀v.(φ(d1 ) ∧ c) → (φ(d2 ) ∧ φ(d3 )). No local type variable means that an existentially quantified variable in υ(d2 , d3 ) \ pv appears either in φ(d2 ) or in φ(d3 ), but not in both. Therefore, the formula above can be rewritten as: ∀pv∀υ(d1 ) \ pv

(∃υ(d2 ) \ pv∀v.(φ(d1 ) ∧ c) → φ(d2 )) ∧(∃υ(d3 ) \ pv∀v.(φ(d1 ) ∧ c) → φ(d3 )),

which reduces to validity of both d1 ` c → d2 and d1 ` c → d3 . Lemma 3.40. Proof. The only-if part is trivial. Concerning the if part, consider any solution (v0 , a0 ) ∈ Sol(Ad v ≤ Bd a) 6= ∅. Let u0 be the restriction of a0 to variables in pv = pvars(d). Let d0 be obtained by replacing every x : 2e in d by x : 2e[pv/u0 ] . Since e[pv/u0 ] ≥ 0 is in Ad v0 ≤ Bd a0 , we have that e[pv/u0 ] reduces to a nonnegative real number. Thus, d0 is a type declaration in BT , and: φ(d0 ) = φ(d)[pv/u0 ] υ(d0 ) = υ(d) \ pv, modulo trivially true primitive constraints e[pv/u0 ] ≥ 0. Consider now the parameterized linear system P 0 = φ(d0 ) ∧ c. By Lemma 3.4, c satisfiable implies that there exists u1 instance of parameters υ(d0 ) such that Sol(P 0 , u1 ) 6= ∅. By observing that P 0 = P[pv/u0 ], we conclude that (u0 , u1 ) is an instance of υ(d) such that Sol(P, (u0 , u1 )) = Sol(P 0 , u1 ) 6= ∅. Type assertions in presence of parametric types can be instantiated by assigning real number values u to type variables pv. The instantiation is a type assertions in the type system BT if all instantiated type expressions e[pv/u] satisfy the requirement e[pv/u] ≥ 0, namely if 2e[pv/u] ∈ BT . Next definition introduces such instances for type assertions without local variables. Definition A.11. Let d1 ` c → d2 be such that pvars(d2 ) ⊆ pvars(d1 ). A consistent instance of pv = pvars(d1 ) is any u ∈ R|pv| such that Φ(d1 )[pv/u]∧ Φ(d2 )[pv/u] is true. The requirement pvars(d2 ) ⊆ pvars(d1 ) is equivalent to assume no local type variable in the type assertion. We are now in the position to restate validity of type assertions with parametric types in terms of validity of type assertions in the BT type system and a further condition. Condition (ii) in the next lemma is needed to cover contrived type assertions, such as the one highlighted in Example 3.50, where for the type assertion x : 2s , y : 2r ` z = 0 → z : 2s−r : all consistent instances lead to valid type assertions, i.e., (i) holds; but the type assertion is not valid due to inconsistent instances such as s = 0, r = 1. Lemma A.12. Let d1 ` c → d2 be a type assertion such that pvars(d2 ) ⊆ pvars(d1 ). d1 ` c → d2 is valid iff called pv = pvars(d1 ): ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

App–16

·

S. Ruggieri and F. Mesnard

(i). for every u consistent instance of pv we have that d1 [pv/u] ` c → d2 [pv/u] is valid in the BT type system; (ii). and, Sol(c) = ∅ or ∀pv.Φ(d1 ) → Φ(d2 ) is valid in the domain of the reals. Proof. Validity of d1 ` c → d2 consists of showing validity of the formula (1) in Definition 2.4, which can be rewritten as: ∀pv∀υ(d1 ) \ pv∃υ(d2 ) \ pv∀v.(φ(d1 ) ∧ c) → φ(d2 ). This holds iff for every u ∈ R|pv| , the following holds: ∀υ(d1 ) \ pv∃υ(d2 ) \ pv∀v.(φ(d1 )[pv/u] ∧ c) → φ(d2 )[pv/u].

(7)

(If-part). We show that (7) holds. When u is a consistent instance, this follows from (i), since (7) is equivalent to the Definition 2.4 (1) formula of d1 [pv/u] ` c → d2 [pv/u], except for the fact that the Φ(d1 ) and Φ(d2 ) constraints appear in the formula. However, since u is a consistent instance, they are trivially satisfied. Assume now that u is not a consistent instance. If Sol(c) = ∅ then the conclusion readily follows. Also, it follows if Φ(d1 )[pv/u] is false, since it is a conjunct of φ(d1 )[pv/u]. Finally, when Φ(d1 )[pv/u] is true, the hypothesis ∀pv.Φ(d1 ) → Φ(d2 ) implies that Φ(d2 )[pv/u] is true as well. However, this and Φ(d1 )[pv/u] contradict the assumption that u is not a consistent instance. (Only-if part). (i) follows from (7), which is equivalent to the Definition 2.4 (1) formula of d1 [pv/u] ` c → d2 [pv/u], except for the fact that the Φ(d1 ) and Φ(d2 ) constraints appear in the formula. However, since u is a consistent instance, we have that they reduce to the true constraint. (ii) If Sol(c) = ∅ then then (ii) readily follows. Assume then Sol(c) 6= ∅ and that for some u0 instance of pv we have that Φ(d1 )[pv/u0 ] → Φ(d2 )[pv/u0 ] is false, namely Φ(d1 )[pv/u0 ] ∧ ¬Φ(d2 )[pv/u0 ] is true. Given v0 ∈ Sol(c), it can be extended to a solution of φ(d1 )[pv/u0 ] ∧ c by setting parameters in a = υ(d1 ) \ pv to the value of variables in v0 they constraint. As an example, for φ(x : 2s ) = a ≤ x ≤ a + s ∧ s ≥ 0 we choose for a the value of x in v0 (this choice also satisfies x ≤ a + s since s ≥ 0 is assumed by Φ(d1 )[pv/u0 ]). By (7), φ(d1 )[pv/u0 ] ∧ c implies φ(d2 )[pv/u0 ], and then Φ(d2 )[pv/u0 ] which is part of it. This is absurd since ¬Φ(d2 )[pv/u0 ] was assumed. By using the characterization of validity of type assertions with parametric types in terms of validity of type assertions in BT , we can extend to parametric types results that hold in BT . Theorem 3.43 [(Definiteness III)]. Proof. In the following we can ignore condition (ii) of Lemma A.12 since either it holds for both d ` c → x : 2e and d|B ` c → x : 2e or for none. By Lemma A.12, d ` c → x : 2e is valid iff for every u consistent instance of pv = pvars(d1 ), the type assertion d[pv/u] ` c → x : 2e [pv/u] is valid. By Theorem 3.22, called B0 = BT \ BT 2 , this holds iff d[pv/u]|B0 ` c → x : 2e [pv/u] is valid. Since the restriction to B 0 simply removes atd’s with types in BT 2 , we observe that d[pv/u]|B0 = d|B [pv/u]. Summarizing, d ` c → x : 2e is valid iff for every u consistent instance of pv, the type assertion d|B [pv/u] ` c → x : 2e [pv/u] is valid. By Lemma A.12, this is equivalent to validity of d|B ` c → x : 2e . ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

Typing Linear Constraints

·

App–17

Lemma 3.46. Proof. Notice that since Sol(Ax ≤ b) 6= ∅, its generating and vertex matrices R and V exist. Let us set c = c1 − c2 and α = α1 − α2 . It is immediate to observe that cT1 x + α1 ¹e cT2 x + α2 iff cT x + α ¹e 0. (If-part). For every x0 such that Ax0 ≤ b holds, there exists λ, µ ≥ 0 with Σµ = 1T µ = 1 such that x0 = Rλ + Vµ. We distinguish two cases. First, consider abs(cT x0 + α) = cT x0 + α. We have cT x0 + α = cT Rλ + T c Vµ + 1T µα ≤ cTe Rλ + cTe Vµ + 1T µr = cTe x0 + r by exploiting the hypotheses (c − ce )T R ≤ 0 and (c − ce )T V + (α − r)1T ≤ 0. Second, consider abs(cT x0 + α) = −cT x0 − α. We have −cT x0 − α = −cT Rλ − T c Vµ − 1T µα ≤ cTe Rλ + cTe Vµ + 1T µr = cTe x0 + r by exploiting the hypotheses (−c − ce )T R ≤ 0 and (−c − ce )T V + (−α − r)1T ≤ 0. (Only-if part) Let Vk be any column of V. If (c − ce )T R 6≤ 0 then there exists a column Rj of R such that (c − ce )T Rj > 0. By choosing λi = 0 for i 6= j, µi = 0 for i 6= k and µk = 1, for x0 = Rλ + Vµ we get cT x0 + α = cT Rλ + cT Vµ + α = cT Rj λj + cT Vk + α 6≤ cTe Rj λj + cTe Vk + r = cTe x0 + r, since (c − ce )T Rj > 0 and λj can be any positive real number. For some λj , we can then conclude abs(cT x0 + α) ≥ cT x0 + α > cTe x0 + r. If (−c−ce )T R 6≤ 0 then there exists a column Rj of R such that (−c−ce )T Rj > 0. By choosing λi = 0 for i 6= j, µi = 0 for i 6= k and µk = 1, for x0 = Rλ + Vµ we get −cT x0 −α = −cT Rλ−cT Vµ−α = −cT Rj λj −cT Vk −α 6≤ cTe Rj λj +cTe Vk + r = cTe x0 + r, since (−c − ce )T Rj > 0 and λj can be any positive real number. For some λj , we can then conclude abs(cT x0 + α) ≥ −cT x0 − α > cTe x0 + r. If (c − ce )T V + (α − r)1T 6≤ 0 then there exists a column Vj of V such that (c − ce )T Vj + (α − r) > 0. By choosing λ = 0, µi = 0 for i 6= j and µj = 1, for x0 = Rλ + Vµ we get cT x0 + α = cT Rλ + cT Vµ + α = cT Vj + α 6≤ cTe Vj + r = cTe x0 + r. This implies abs(cT x0 + α) ≥ cT x0 + α > cTe x0 + r. If (−c − ce )T V + (−α − r)1T 6≤ 0 then there exists a column Vj of V such that (−c − ce )T Vj + (−α − r) > 0. By choosing λ = 0, µi = 0 for i 6= j and µj = 1, for x0 = Rλ + Vµ we get −cT x0 − α = −cT Rλ − cT Vµ − α = −cT Vj − α 6≤ cTe Vj + r = cTe x0 + r. This implies abs(cT x0 + α) ≥ −cT x0 − α > cTe x0 + r. Lemma 3.47. Proof. For a parameter instance u let us denote by V u the set of (instances of the) parameterized vertices whose domain includes u, namely: V u = {vu (i) | i = 1..k, Ci u ≤ ci }. If V u 6= ∅, let us denote by Vu the matrix whose columns are the vectors in V u . Consider the if-part. Let u be fixed. If Su = ∅, we are done. Otherwise, V u cannot be empty. Since cT R = 0 (assumption (i)), we calculate: Su = {cT x | x = Rλ + Vu µ, λ ≥ 0, µ ≥ 0, Σµ = 1} = {z | z = cT Vu µ, µ ≥ 0, Σµ = 1}. Notice that for x, y ∈ Su , abs(x − y) can then be rewritten as abs(cT Vu (µx − µy )), for some µx ≥ 0, Σµx = 1, µy ≥ 0, Σµy = 1. Moreover, by (iii), cTe u + r ≥ 0. These last two statements and assumption (ii) allow for applying Lemma A.5 to conclude abs(x − y) ≤ cTe u + r for every x, y ∈ Su . ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

App–18

·

S. Ruggieri and F. Mesnard

Consider now the only-if part. We show the contrapositive. (i). If cT R 6= 0, consider any u in Sol(C1 a ≤ c1 ). Notice that k ≥ 1 since the parameterized polyhedron is assumed not to be empty, and Sol(C1 a ≤ c1 ) 6= ∅ by Theorem 3.24. We have: Su = {cT x | x = Rλ + Vu µ, λ ≥ 0, µ ≥ 0, Σµ = 1} = {z | z = cT Rλ + cT Vu µ, λ ≥ 0, µ ≥ 0, Σµ = 1}. Let Rj be a column of R such that cT Rj = α 6= 0. By fixing λi = 0 for i 6= j, we get that cT Rλ = αλj . By fixing µ in any way such that µ ≥ 0, Σµ = 1, we also have cT Vu µ = β, for some β. Summarizing, Su includes αλj + β for every λj ≥ 0. Hence, abs(x − y) cannot be bounded by cTe u + r for every x, y ∈ Su . (ii). Consider a pair 1 ≤ m < n ≤ k such that cT va (m) 6¹e cT va (n) over Pm,n . Then there exists u ∈ Sol(Pm,n ) such that abs(cT vu (m) − cT vu (n)) > cTe u + r. By fixing µi = 0 for i 6= m and µm = 1, we define x = Vu µ = vu (m). Analogously, by fixing µi = 0 for i 6= n and µn = 1, we define y = Vu µ = vu (n). It turns out x = cT x, y = cT y belong to: {cT x | x = Vu µ, µ ≥ 0, Σµ = 1} = {z | z = cT Vu µ, µ ≥ 0, Σµ = 1} ⊆ Su , and abs(x − y) > cTe u + r. (iii) By Theorem 3.24, Sol(Ci a ≤ ci ) 6= ∅ for i = 1..k. Therefore, the negation of condition (iii) is equivalent to assume that for some i in 1..k, there exists u ∈ Sol(Ci a ≤ ci ) such that cTe u + r < 0. By Theorem 3.24 again, Su 6= ∅ – at least vu (i) belongs to it. Therefore, for any x ∈ Su , we have abs(x−x) = 0 > cTe u+r. Lemma 3.49. Proof. x0 ∈ Sol(Ax ≤ b) iff x0 = Rλ + Vµ for some λ, µ ≥ 0 and Σµ = 1T µ = 1. Then: cTe x0 + r = cTe Rλ + cTe Vµ + r1T µ = cTe Rλ + (cTe V + r1T )µ. The if part is immediate, namely cTe x0 + r ≥ 0 since cTe R, λ, (cTe V + r1T ) and µ contains only non-negative elements. The only-if part follows by contraposition. If for some x0 , we have cTe x0 + r < 0 then cTe Rλ or (cTe V + r1T )µ is a negative number. Since λ, µ ≥ 0, this implies that cTe R 6≥ 0 or (cTe V + r1T ) 6≥ 0. Theorem 3.51 [(ParCheck - soundness and completeness)]. Proof. Working on d = d1 |B is sound and complete by Theorem 3.43. (Soundness) Step 2 is justified by the if-part of Lemma 3.40. Step 4 is justified by the if-part of Lemma 3.47 instantiated by fixing cj = 0 for j 6= i, and ci = 1, so that cT v = x. Also, since there is no local type variable in x : 2e , e can be written as a linear combination of type variables in d1 . Since pvars(d1 ) ⊆ υ(d1 ) = a, the assumption of Lemma 3.47 that e is of the form cTe a+r is satisfied. (Completeness) Assume that d ` c → x : 2e is valid, and consider the parameterized system P = φ(d) ∧ c. Unsatisfiability of P is checked by Step 2, using the conditions of Lemma 3.40. Step 4 deals with the case when P is satisfiable by checking the conditions of Lemma 3.47.

ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

Typing Linear Constraints

·

App–19

Lemma 3.52. Proof. Let P be the parameterized linear system φ(d1 ) ∧ c. Since φ(d1 ) is satisfiable, by Lemma 3.40, P is satisfiable iff c is satisfiable. Therefore, for P unsatisfiable the conclusion holds since both d1 ` c → x : τ and d01 ` c → x : τ are valid. Assume now P satisfiable. Let P 0 be the parameterized linear system φ(d01 ) ∧ c. By construction of d01 , the homogeneous versions of P and P 0 coincide. For instance, the homogeneous version of φ(x : 2e ) = a ≤ x ≤ a + e ∧ 0 ≤ e is x = 0 ∧ 0 ≤ 0, which (up to the true inequality 0 ≤ 0) coincides with the homogeneous version of φ(x : 2) = a ≤ x ≤ b. By Lemma 3.5: d01 ` c → x : u is valid iff max{vi | v ∈ Sol(H0 )} = 0, where vi = x an H0 is the homogeneous version of P 0 . Since P is satisfiable, an immediate extension of Lemma 3.5 to parametric types allows for concluding: d1 ` c → x : u is valid iff max{vi | v ∈ Sol(H)} = 0, where H is the homogeneous version of P. Our conclusion then follows since H = H0 . A.8 Section 3.7 Theorem 3.53. Proof. By Theorem 3.19 and Lemma 2.17, Check(IEInfer) is a decision procedure, complete for BT ! . Its complexity is polynomial by observing that: —LPInfer has polynomial time complexity when adopting a polynomial time algorithm for linear programming [Khachiyan 1979]; —computing the set of implicit equalities for a system of n inequalities can be done by solving at most n linear programming problems [Greenberg 1996, Corollary 7.4], which, again, requires polynomial time; —Gaussian elimination has polynomial time complexity [Schrijver 1986].

A.9 Section 4.2 The operational semantics of CLP(R) programs is specified in terms of derivations from states to states [Jaffar and Maher 1994; Jaffar et al. 1998]. Here, we consider derivations via the leftmost selection rule. A state h ← [c, ]A1 , . . . , An kc0 i is reduced to another state, called a resolvent, as follows: R1. If a linear constraint c appears at the left of the query, and c ∧ c0 is satisfiable, the resolvent is h ← A1 , . . . , An kc0 ∧ ci. R2. If an atom A1 = p(x1 , . . . , xh ) appears at the left of the query, and p(y1 , . . . , yh ) ← c, B1 , . . . , Bk is a renamed apart clause from P , then the resolvent is: ^ h ← c, B1 , . . . , Bk , A2 , . . . , An kc0 ∧ xi = yi i. i=1..h

A derivation from a state S is a (finite or infinite) maximal sequence of states S0 = S, S1 , . . . , Sn , . . . such that there is a reduction from Si to Si+1 , for i ≥ 0. A derivation for a query Q is a derivation from hQktruei. The last state of a finite derivation is of the form hQkci. If Q is not empty, the derivation is failed. Otherwise, it is successful, or a refutation, and c is called the answer constraint. ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

App–20

·

S. Ruggieri and F. Mesnard

Theorem 4.5. Proof. (Persistency). It is a special case of the more general Theorem 4.18, which will be shown in Appendix A.11. (Call patterns). The state h ← q(x : τ × µ), Rk c0 i is well-moded by persistency. From the definition of well-moded states (i = 1 and c = true), we have that ` c0 → x : τ is valid. (Answers). Consider the program P 0 defined as P plus the unit clause: p(x1 : µ1 × ?, . . . , xn : µn × ?) ← true. where p is a fresh predicate symbol, and the query Q0 = Q, p(x1 , . . . , xn ). P 0 and Q0 are well-moded since P and Q are well-moded. Under our hypotheses, there exists a derivation from the query Q0 to the state h ← p(x1 , . . . , xn ) | c0 i. By the call pattern conclusion, we obtain ` c0 → x1 : µ1 , . . . , xn : µn . A.10 Section 4.3 We recall that a term substitution θ is represented by a finite set {x1 /t1 , . . . , xn /tn } with x1 , . . . , xn distinct variables, and t1 , . . . , tn terms, and n ≥ 0. Also, we can assume ti 6= xi . dom(θ) = {x1 , . . . , xn } is called the domain of variables in θ. Lemma 4.11. Proof. By Lemma A.1, we have to show that d1 θ ` c → (x : τ )θ is valid for every x : τ in d2 . Also, we can assume τ 6= ?, otherwise the conclusion is trivial. Moreover, notice that the assumption cθ = c implies that vars(c) ∩ dom(θ) = ∅. First, consider the case x/t ∈ θ for some t. Thus, x 6∈ vars(c). By Lemma A.2 and τ 6= ?, d1 ` c → x : τ valid implies that there exists x : µ in nf (d1 ) such that µ ≥t τ . By Definition 4.9, for every y ∈ vars(t), y : µ is in nf (d1 )θ = nf (d1 θ). By Lemma 2.11, this and µ ≥t τ imply that d1 θ ` true → y : τ is valid. By monotonicity, d1 θ ` c → y : τ is valid for every y ∈ vars(t). By Definition 4.9 and Lemma A.1, this is equivalent to validity of d1 θ ` c → (x : τ )θ. Consider now the case x 6∈ dom(θ). Thus, (x : τ )θ is x : τ . If x 6∈ vars(c), by Lemma A.2 and τ 6= ?, d1 ` c → x : τ valid implies that there exists x : µ in nf (d1 ) such that µ ≥t τ . Since x 6∈ dom(θ), x : µ is in nf (d1 θ) as well. Again by Lemma A.2, we conclude that d1 θ ` c → x : τ valid. If x ∈ vars(c), by Lemma A.2, d1 ` c → x : τ valid implies d ` c → x : τ valid, where d = d1 |vars(c) . Since vars(c) ∩ dom(θ) = ∅, we have dθ = d, and then dθ ` c → x : τ is valid. By monotonicity, from d1 θ ≥t dθ, we conclude that d1 θ ` c → x : τ is valid. A.11 Section 4.4 Theorem 4.18 [(Persistency)]. Proof. Let S = h ← [c, ] A1 , . . . , An kc0 i be well-moded using type substitutions For Ai = p(x : τ × µ), i = 1..n, we denote pre(Ai ) = x : ϑsi (τ ) and post(Ai ) = x : ϑsi (µ). We will show that every resolvent of S and a well-moded clause is well-moded. The final result follows since the initial state hQktruei is wellmoded by hypothesis. If rule R1 is applied, the result is trivial since, by definition, S is well-moded iff h ← A1 , . . . , An kc0 ∧ ci is well-moded. ϑs1 , . . . , ϑsn .

ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

Typing Linear Constraints

·

App–21

Consider now rule R2 . Let A1 = p(x1 , . . . , xh ) and let: ^ h ← c, B1 , . . . , Bk , A2 , . . . , An kc0 ∧ xi = yi i i=1..h

be the resolvent obtained by a renamed apart clause H ← c, B1 , . . . , Bk , where H = p(y1 , . . . , yh ). It is readily checked that renaming apart a well-moded clause yields a well-moded clause as well. Let ϑr1 , . . . , ϑrk be the type substitutions as in Definition 4.17. For Bi = p(x : τ × µ), i = 1..k, we denote pre(Bi ) = x : ϑri (τ ) and post(Bi ) = x : ϑri (µ). Also, for H = p(y : τ × µ), we define pre(H) = y : τ and post(H) = y : µ. We will show that the resolvent is well-moded by using the type substitutions ϑ1 , . . . , ϑk+n−1 defined as follows: ϑi = ϑs1 ◦ϑri for i = 1..k; ϑk+i−1 = ϑsi for i = 2..n. By well-moding of S, ` c0 → pre(A1 ) is valid and has no local type variable. Since 0 c is satisfiable (it is a simple induction on the length of derivations), this implies s that pre(A1 ) is a type V declaration in BT , namely ϑ1 (e) ≥ 0 for every 2e in pre(A1 ). 0 Called c1 = c ∧ i=1..h xi = yi , this implies that ` c1 → pre(H) is valid, where, for H = p(y : τ × µ), pre(H) = y : ϑs1 (τ ) is a type declaration in BT . Let us split the rest of the proof in two steps (a) and (b). (a) For i = 1..k, from well-moding of the (renamed-apart) clause, we have that: pre(H), post(B1 ), . . . , post(Bi−1 ) ` c → pre(Bi ) is valid and has no local type variable. Since R |= c1 ∧ c → c, this implies that: pre(H), post(B1 ), . . . , post(Bi−1 ) ` c1 ∧ c → pre(Bi )

(8)

is valid and has no local type variable. By recalling that no local to output type variable is admitted in parametric modes (see Definition 4.12), a simple induction on i reveals that all type variables in (8) are included in pre(H). We instantiate all of them by ϑs1 as follows: for i = 1..k and Bi = p(x : τ × µ), we denote pre(Bi ) = x : ϑs1 (ϑri (τ )) and post(Bi ) = x : ϑs1 (ϑri (µ)). The following is an instance of (8): pre(H), post(B1 ), . . . , post(Bi−1 ) ` c1 ∧ c → pre(Bi )

(9)

and it is valid. This comes directly from Definition 2.4 of validity of type assertions. Moreover, since pre(H) is in BT , and (9) is an instance of (8), there is no type variable at all in (9). Assume for the moment that it is a type assertion in BT . By monotonicity in BT , ` c1 → pre(H) valid implies that: post(B1 ), . . . , post(Bi−1 ) ` c1 ∧ c → pre(H)

(10)

is valid, and in BT . By the transitivity Lemma 2.12, (9) and (10) imply that: post(B1 ), . . . , post(Bi−1 ) ` c1 ∧ c → pre(Bi )

(11)

is valid. This concludes the proof, since this is the proof obligation of well-moding for type substitutions ϑ1 , . . . , ϑk+n−1 and i = 1..k. Assume now that (9) is not a type assertion in BT . If c1 ∧c is not satisfiable, then validity of (11) is immediate. Let c1 ∧ c be satisfiable. Since (9) contains no type variable, it is not in BT only if for some type 2e in post(B1 ), . . . , post(Bi−1 ), pre(Bi ) we have e < 0, namely (9) is not in BT due to malformed syntax. ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.

App–22

·

S. Ruggieri and F. Mesnard

If some type 2e in post(B1 ), . . . , post(Bi−1 ) is such that e < 0, then (11) is valid, since φ(post(B1 ), . . . , post(Bi−1 )) has no solution (it includes the always false constraint e ≥ 0). Finally, consider the case that for all types 2e in post(B1 ), . . . , post(Bi−1 ), we have e ≥ 0. This means that there is some type 2e in pre(Bi ) such that e < 0. Since c1 ∧ c is satisfiable, we can extend one of its solutions to a solution of φ(d) ∧ c1 ∧ c, where d is pre(H), post(B1 ), . . . , post(Bi−1 ). This solution would show that d ` c1 ∧ c → pre(Bi ) is invalid (as a type assertion in PT ), which is absurd since such a type assertion is (9), which was shown to be valid. (b) Since S is well-moded, for i = 1..n: post(A1 ), post(A2 ), . . . , post(Ai−1 ) ` c0 → pre(Ai )

(12)

is valid and has no local type variable. By recalling that no local to output type variable is admitted in parametric modes (see Definition 4.12), a simple induction on i reveals that there is no type variable at all. Also, by reasoning as in (a): post(B1 ), . . . , post(Bk ) ` c1 ∧ c → post(H) is valid and contains no type variable, where post(H) = y : ϑs1 (µ) for H = p(y : τ × µ). Since A1 = p(x : τ × µ), post(A1 ) = x : ϑs1 (µ), and x = y is in c1 , validity of the last type assertion implies that: post(B1 ), . . . , post(Bk ) ` c1 ∧ c → post(A1 )

(13)

is valid and contains no type variable. Assume for the moment that the type assertions (12) and (13) are in BT . First, by monotonicity on (12), for i = 2..n: post(B1 ), . . . , post(Bk ), post(A1 ), post(A2 ), . . . , post(Ai−1 ) ` c1 ∧ c → pre(Ai )(14) is valid. Second, by monotonicity on (13), for i = 2..n: post(B1 ), . . . , post(Bk ), post(A2 ), . . . , post(Ai−1 ) ` c1 ∧ c → post(A1 )

(15)

is valid. By the transitivity Lemma 2.12, (15) and (14) imply, for i = 2..n: post(B1 ), . . . , post(Bk ), post(A2 ), . . . , post(Ai−1 ) ` c1 ∧ c → pre(Ai )

(16)

is valid. This concludes the proof, since this is the proof obligation of well-moding for type substitutions ϑ1 , . . . , ϑk+n−1 and i = k + 1..k + n − 1. Assume now that (12) or (13) is not in BT . If c1 ∧ c is unsatisfiable then (16) is trivially valid. Let c1 ∧ c be satisfiable. Since (12) and (13) contain no type variable, this means that for some type 2e in (12) or in (13), we have e < 0. If for some type 2e in post(B1 ), . . . , post(Bk ), post(A2 ), . . ., post(Ai−1 ) we have e < 0, then (16) is trivially valid. Also, post(A1 ) does not contain any 2e with e < 0. Otherwise, since c1 ∧ c is satisfiable, we can extend one of its solutions to a solution of φ(d) ∧ c1 ∧ c, where d is post(B1 ), . . . , post(Bk ). This solution would show that d ` c1 ∧ c → post(A1 ) is invalid (as a type assertion in PT ), which is absurd since such a type assertion is (13), which was shown to be valid. Finally, with the same reasoning we can show that pre(Ai ) in (12) does not contain any 2e with e < 0. ACM Transactions on Programming Languages and Systems, Vol. V, No. N, M 20YY.